The present invention relates generally to networks, more particularly to network management, and even more particularly to policy-based network management.
The various features of modern network devices are typically managed as a unit. Consider as an example a router connected to several networks. The router has multiple interfaces, with each interface representing a connection for routing traffic between one or more of these networks. Each interface of the router can also have multiple capabilities, each of which can affect the traffic in different ways. These different aspects of a single device, managed together, often present a difficult-to-understand interface to the administrator of the network. As a result, the management of even a single device can become a daunting task.
Policy-based network management can help make this task easier to understand and implement. Rules for management of a device are combined to form a policy for the device. The devices to be managed are referred to as enforcement points, the targets of the policy, or more simply as targets.
The purpose of policy-based network management is to coordinate device management across an entity's network by enforcing rules related to Service Level Agreements (SLAs). SLAs are agreements made between network users and the network provider. Policy is a method of translating those agreements into actions designed to provide the type and level of service agreed upon. A policy describes a set of rules, where a rule specifies a set of conditions with the specific action to take when those conditions are satisfied. The actions described within policy rules generally relate to Quality of Service (QoS) capabilities, e.g., bandwidth allocated or priority assigned to the traffic. By using policy-based network management, a structural format is provided wherein network administrators can avoid the tedious process of individually configuring multiple network devices, e.g., routers and traffic shapers, each of which has its own particular syntax and mapping of QoS actions to device resources. For example, an Access Control List (ACL) maintains a list of network resources that could, among other things, define permissible actions of a port on a router under specified conditions.
Deploying policy involves moving the policy onto a target or policy configuration agent, translating the policy into target-specific configuration, and loading the configuration. If performed one at a time for each target, this process can be complicated and time consuming. In addition, there can be a significant time delay in deploying related policies to one or more targets. Complicating this situation is the fact that deployment of a given policy to its target does not always occur in the order that the policy was moved by the server program and, in fact, implementation on the target may not actually occur due to errors or inconsistencies in the policy. Thus, confusing and conflicting situations can exist when policies are individually deployed. In addition, with multiple targets receiving policies at differing times, it has been impossible to keep track of which targets have actually implemented the policy changes.
Thus, there is a need for a means to simplify the deployment of multiple policies, to have those policies deployed at approximately the same time, and to provide a method for reporting the status of policy deployment on a target-by-target basis, as well as on an aggregate basis.
The present patent document relates to a novel method for deployment of policy to targets connected to a network for the purpose of controlling the actions of the targets based upon certain predefined conditions. In representative embodiments, the present patent document discloses methods for aggregating targeted policies and deploying such policies at the same time. Mechanisms are also provided whereby the targets can report changes in policy deployment status to a server program which can display such changes.
Electronic systems, such as networks, that comprise resources or processes can control the interaction of such items by means of Quality of Service (QoS) mechanisms. These mechanisms can be controlled at a higher level of abstraction using rules, which relate an action, i.e., controlling the QoS mechanism, to a set of conditions describing when to apply the rule. The combination of one or more rules for a given target is referred to herein as a policy. The controlled items could be for example processes, functions, abstract objects, or physical electronic devices such as computers, printers, etc. Thus, policy refers to the description of behaviors or actions that are desired for the item to which the policy applies. In network systems, policies are typically associated with items that affect the flow of data on that network. In order to affect that network traffic flow, policies are directed toward or targeted at managed or controlled entities.
As referred to herein, a target is a process or resource that is being managed using policy. The managed item itself may be able to recognize and conform to the policy directly, or may be managed by a proxy which recognizes policy information and converts it to configuration information that the managed entity can recognize and conform to.
Using the concept of targets, a particular capability or rule can be isolated to a single manageable element which has that capability or functions according to the rules of the policy. In this way the administrator can more readily deal with the manner in which network traffic is to be treated at specific points in the network.
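The rule, policy, proxy and target relationships described above can be made concrete in code. The following is an added illustration, not part of the patent document: a policy is a list of rules (conditions plus a QoS action), a consistency check flags rules that the text calls "inconsistencies" (identical conditions, differing actions), and two hypothetical proxies convert the same abstract policy into the configuration syntax of two invented device families. The `Rule`/`Policy` classes, the two syntaxes and the `translate` helper are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed model: a rule is a set of conditions plus the QoS action to
# take when all of those conditions are satisfied; a policy groups rules.
@dataclass(frozen=True)
class Rule:
    conditions: Dict[str, str]   # e.g. {"dst_port": "443", "protocol": "tcp"}
    action: Dict[str, str]       # e.g. {"priority": "high"}


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)


def find_conflicts(policy: Policy) -> List[str]:
    """Report pairs of rules with identical conditions but different actions.
    No target can apply such a policy consistently, so it is rejected before
    any configuration is generated."""
    seen = {}
    problems = []
    for idx, rule in enumerate(policy.rules):
        key = tuple(sorted(rule.conditions.items()))
        if key in seen and seen[key][1] != rule.action:
            problems.append(
                f"rules {seen[key][0]} and {idx} have the same conditions but different actions")
        seen.setdefault(key, (idx, rule.action))
    return problems


# Hypothetical proxy 1: a class-map style syntax (invented for this example).
def to_classmap_style(policy: Policy) -> List[str]:
    lines = [f"policy-map {policy.name}"]
    for idx, rule in enumerate(policy.rules):
        match = " ".join(f"{k} {v}" for k, v in sorted(rule.conditions.items()))
        for k, v in sorted(rule.action.items()):
            lines.append(f"  class rule{idx} match {match} set {k} {v}")
    return lines


# Hypothetical proxy 2: a key/value style syntax (also invented here).
def to_kv_style(policy: Policy) -> List[str]:
    lines = []
    for idx, rule in enumerate(policy.rules):
        cond = ",".join(f"{k}={v}" for k, v in sorted(rule.conditions.items()))
        act = ",".join(f"{k}={v}" for k, v in sorted(rule.action.items()))
        lines.append(f"{policy.name}.rule{idx}: if {cond} then {act}")
    return lines


PROXIES = {"classmap": to_classmap_style, "kv": to_kv_style}


def translate(policy: Policy, device_kind: str) -> List[str]:
    """Convert one abstract policy into the configuration a given target
    family understands; inconsistent policies never reach a device."""
    problems = find_conflicts(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return PROXIES[device_kind](policy)


# Constructed sample policy: prioritise HTTPS, cap UDP bandwidth.
GOLD = Policy("gold", [
    Rule({"dst_port": "443", "protocol": "tcp"}, {"priority": "high"}),
    Rule({"protocol": "udp"}, {"bandwidth_kbps": "2000"}),
])

if __name__ == "__main__":
    for kind in PROXIES:
        print("\n".join(translate(GOLD, kind)))
```

The same `Policy` object produces two different device configurations, which is the point of the proxy: the administrator works only with rules and targets, and syntax differences between device families stay inside the proxy.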
In aggregated policy deployment to targets as described in various representative embodiments of the present patent document, at least one policy is deployed to multiple targets as a single operation. As an example, consider three devices, which could be, for example, three routers, with the first device comprising first and second interfaces, the second device comprising third and fourth interfaces, and the third device comprising a fifth interface. The first, second, third, fourth, and fifth interfaces are also referred to as the first, second, third, fourth, and fifth targets respectively. In this example, a first policy and a second policy are deployed in the aggregate as follows: (1) the first policy is deployed to the first, third, and fifth targets and (2) the second policy is deployed to the second and fourth targets.
Primary advantages of the embodiments as described in the present patent document over prior methods for deploying policy are (1) aggregated policy deployment simplifies the number of steps that a user must perform to implement policy in the network, (2) it allows the user to group a related set of policies, and (3) all of the targets destined to receive policy changes do so at approximately the same time, so device configuration changes can be coordinated.
Having initiated an aggregated policy change, the user can track the status of the aggregate operation as well as the individual status changes which comprise the aggregate operation. In representative embodiments, users are able to see how individual targets are responding to the policy deployed to them, as well as recognize when the aggregate set of operations has completed.
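The five-interface example and the status tracking described in the last two paragraphs, as an added server-side model that is not part of the patent document: one aggregated operation pushes every (policy, target) pair, targets report back in whatever order they finish (the text notes deployment need not occur in push order and may fail on a target), and the server can answer both the per-target question and the aggregate one. The `transport` callable, the status names and the sample reports are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Status(Enum):
    PENDING = "pending"      # pushed, no report from the target yet
    DEPLOYED = "deployed"    # target (or its proxy) confirmed the configuration
    FAILED = "failed"        # target rejected the policy


Key = Tuple[str, str]        # (policy name, target name)


@dataclass
class AggregateDeployment:
    """Server-side record of one aggregated deployment operation."""
    assignments: Dict[str, List[str]]                   # policy -> targets
    status: Dict[Key, Status] = field(default_factory=dict)
    detail: Dict[Key, str] = field(default_factory=dict)

    def start(self, transport: Callable[[str, str], None]) -> int:
        """Push every policy to every assigned target as a single operation.
        transport(policy, target) is a hypothetical send that does not wait
        for the target; every pair starts out PENDING."""
        for policy, targets in self.assignments.items():
            for target in targets:
                transport(policy, target)
                self.status[(policy, target)] = Status.PENDING
        return len(self.status)

    def report(self, policy: str, target: str, ok: bool, detail: str = "") -> None:
        """Record a target's status report; reports may arrive in any order.
        A report for a pair that was never pushed is rejected."""
        key = (policy, target)
        if key not in self.status:
            raise KeyError(f"unexpected report for {key}")
        self.status[key] = Status.DEPLOYED if ok else Status.FAILED
        if detail:
            self.detail[key] = detail

    def per_target(self) -> Dict[str, Dict[str, str]]:
        """Target-by-target view: which policies each target has accepted."""
        out: Dict[str, Dict[str, str]] = {}
        for (policy, target), st in self.status.items():
            out.setdefault(target, {})[policy] = st.value
        return out

    def aggregate(self) -> str:
        """Aggregate view: the operation is complete once no pair is pending."""
        values = set(self.status.values())
        if Status.PENDING in values:
            return "in progress"
        if Status.FAILED in values:
            return "complete with failures"
        return "complete"


def demo():
    # The example from the text: policy1 -> targets 1, 3, 5; policy2 -> targets 2, 4.
    dep = AggregateDeployment({"policy1": ["if1", "if3", "if5"],
                               "policy2": ["if2", "if4"]})
    sent: List[Key] = []
    dep.start(lambda p, t: sent.append((p, t)))
    # Constructed reports arriving out of push order, with one rejection.
    dep.report("policy1", "if5", True)
    dep.report("policy2", "if2", True)
    dep.report("policy1", "if1", True)
    mid = dep.aggregate()                      # two pairs still pending
    dep.report("policy2", "if4", False, "unsupported action: bandwidth")
    dep.report("policy1", "if3", True)
    return sent, mid, dep.aggregate(), dep.per_target(), dep.detail


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Keeping the status keyed by (policy, target) rather than by target alone is what lets the server show both views at once: the administrator sees that the operation finished, and that the fourth interface rejected the second policy while the other four pairs deployed.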